SANS ISC

[SANS ISC] Basic Obfuscation With Permissive Languages

I published the following diary on isc.sans.edu: “Basic Obfuscation With Permissive Languages”: For attackers, obfuscation is key to keep their malicious code below the radar. Code is obfuscated for two main reasons: defeat automatic detection by AV solutions or tools like YARA (which still rely mainly on signatures) and make the code

SANS ISC

[SANS ISC] PowerShell: ScriptBlock Logging… Or Not?

I published the following diary on isc.sans.org: “PowerShell: ScriptBlock Logging… Or Not?“: Here is an interesting piece of PowerShell code which is executed from a Word document (SHA256: eecce8933177c96bd6bf88f7b03ef0cc7012c36801fd3d59afa065079c30a559). The document is a classic one. Nothing fancy, spit executes the macro and spawns a first PowerShell command… [Read more]

SANS ISC

[SANS ISC] Investigating Microsoft BITS Activity

I published the following diary on isc.sans.org: “Investigating Microsoft BITS Activity“: Microsoft BITS (“Background Intelligent Transfer Service”) is a tool present[1] in all modern Microsoft Windows operating systems. As the name says, you can see it as a “curl” or “wget” tool for Windows. It helps to transfer files between

1 2